Tag Archives: RSA

There is heaps of information about configuring a Mikrotik Router as an OpenVPN server on the net. The following simply documents what I found when I tried to follow in their footsteps.

The first reference I found was Medo’s instructions on how to configure the VPN, I used this to create the certificates, configure the server and get close to a working solution.

However my configuration was a little different in that the remote device I was connecting to (an RB411 over 3G) did not have a FQDN, only a fixed IP. So for the ca-template and server-template I used the fixed IP (xx.xx.xx.xx) as the common name, and for the client-template I used the name of the router (RouterName).

Now getting the certs off the remote router was also “interesting”. This wasn’t something that I’d really done before, so after a bit of googling and some trial and error I ended up using the pscp utility that is part of the PuTTY package. You can find the relevant certificate files on the router using the /file command.

Once I had the certs on my local machine I could continue to follow Medo’s blog.

Now I didn’t want the VPN users to end up in a different IP address space, so I changed my VPN DHCP pool range to sit just under the usual Ethernet pool and then set the VPN local address to be the next address under the VPN pool. Here’s a quick overview:

Now before anyone says anything, you need to change the name and password to suit your own VPN user; at the very least make sure you use a good password. You’ll notice I dropped the AES-128 and AES-192 ciphers in favour of the 256-bit option. More on this later.
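As an added illustration of the layout described above (not the post’s own configuration, which is not reproduced here), the following RouterOS commands place the VPN pool directly beneath the LAN DHCP pool, set the VPN local address to the next address below that pool, and restrict the OpenVPN server to AES-256. Pool names, the user name and the 192.168.88.0/24 addresses are constructed; the password and certificate name are placeholders, and the certificate is assumed to be the one signed from the server-template.

```routeros
# Added example, not the original post's config. Addresses, pool names and
# the user name are constructed; CHANGE_ME and the certificate name are
# placeholders. Assumes a 192.168.88.0/24 LAN whose DHCP pool starts at .100.

# Existing LAN pool, and the VPN pool placed directly beneath it
/ip pool add name=dhcp_pool ranges=192.168.88.100-192.168.88.254
/ip pool add name=vpn_pool ranges=192.168.88.90-192.168.88.99

# PPP profile: clients draw from vpn_pool, the router end of the tunnel is
# the next address under the VPN pool (.89), so everyone stays in one subnet
/ppp profile add name=ovpn-profile local-address=192.168.88.89 \
    remote-address=vpn_pool

# One VPN user; use a strong password here
/ppp secret add name=vpnuser password=CHANGE_ME service=ovpn \
    profile=ovpn-profile

# OpenVPN server: present the server certificate, require a client
# certificate, and allow only AES-256 (AES-128/192 dropped) with SHA1 auth
/interface ovpn-server server set enabled=yes port=1194 mode=ip netmask=24 \
    certificate=server require-client-certificate=yes auth=sha1 \
    cipher=aes256 default-profile=ovpn-profile
```

A client whose .ovpn offers only AES-128 will then fail the handshake, which is the behaviour the cipher restriction is meant to enforce.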

This is where I ran into trouble that took me a while to resolve.

I had installed OpenVPN GUI 2.4.5, which simply refused to connect, throwing odd TLS errors. It turns out that as of OpenVPN 2.3.11 a change was made that makes it incompatible with older Mikrotik routers; you can read all about it here and there is more information here.

This post also talks about being able to use the tls-cipher parameter to force the client to relax its checking of certificates, however I wasn’t able to make this work. It appears that the latest version of RouterOS has fixed this issue, but that has to wait until I’m next at the console of this particular router to upgrade it.

So after uninstalling the latest OpenVPN 2.4.5 GUI and installing an older version, OpenVPN 2.3.10, I was able to connect to my RB411 running v3.2.2 firmware with the following config:

As you may notice I use Windows for my main machine, so Mac and Linux users will have to do a little more googling on how to specify the paths in this file. Note that the cipher matches the tweak I made to the ovpn-server on the Mikrotik router, limiting the choice to AES-256.

The proof is in the pudding: after copying all of the certs and config into the appropriate directory I could get the VPN client to connect to my remote Mikrotik RB411 router over the VPN. Many thanks to Medo for blogging his adventures with RouterOS, and I hope the suggestions I’ve made above are useful to some.